The latest version of Kubernetes does not support Docker as a container runtime anymore. That is why many Kubernetes administrators have migrated their cluster's container runtime from Docker to another container runtime such as containerd or CRI-O, or will do so soon.
References
- https://gist.github.com/mamiu/4944e10305bc1c3af84946b33237b0e9
Old: entering a Container as root with Docker
Most containers that run on Kubernetes clusters do not run as root. But what if you want to test a container and, for that, install and test some software manually before you create a new container image? With Docker that was easy: just enter the container as root (id=0) and do whatever you want with the container:
docker exec -it -u 0 <container-id> bash
Now that the containers are no longer Docker containers, this is not possible anymore.
New: entering a Container as root with containerd or CRI-O
Prepare
However, you can use runc to enter the container as root. Say you want to enter a shell as the root user in the container running in my-pod in my-namespace. First, you need to determine the container ID. With that information you can enter the container using runc as follows:
# INPUT
N=my-namespace
# CALCULATE
POD=$(kubectl -n "$N" get pod | tail -1 | awk '{print $1}')
# or define static POD, if needed:
# POD=my-pod
CONTAINER_ID=$(kubectl -n "$N" get pod "$POD" -o jsonpath="{.status.containerStatuses[].containerID}" | sed 's/.*\/\///')
containerd: Entering a Container as root with runc
If you are using containerd, you now can enter the root session with a single command:
# RUN SHELL AS ROOT
sudo runc --root /run/containerd/runc/k8s.io/ exec -t -u 0 $CONTAINER_ID sh
That's it! You do not even need to install runc, since runc is part of the installation package if you have installed containerd.
CRI-O: Entering a Container as root with nsenter
With CRI-O, it is slightly more complex, since crictl does not support entering a root session into a container.
# Retrieve host pid:
HOST_PID=$(crictl inspect $CONTAINER_ID | jq '.info.pid')
# RUN SHELL AS ROOT
nsenter -t ${HOST_PID} -a
That's it! You do not even need to install runc, since runc is part of the installation package if you have installed containerd (and I guess, also with cri-o…).
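The preparation step and the two runtime-specific commands above, combined into one added example (not the author's code; the function names are hypothetical). If the status query returns several IDs, as it can for a multi-container pod, the sed expression keeps only the text after the last `//`, so this version selects the container by name and refuses anything that is not exactly one `runtime://id` value.

```sh
#!/bin/sh
# Added example, not the article's code. Function names are hypothetical.

# Query one *named* container's ID so a multi-container pod is unambiguous.
# Usage: container_ref <namespace> <pod> <container-name>  (needs kubectl)
container_ref() {
  kubectl -n "$1" get pod "$2" \
    -o jsonpath="{.status.containerStatuses[?(@.name==\"$3\")].containerID}"
}

# Split "runtime://id" into "runtime id"; fail on empty or multiple values.
parse_container_ref() {
  case $1 in
    ''|*' '*) echo "need exactly one containerID, got: '$1'" >&2; return 1 ;;
    *://*) ;;
    *) echo "missing runtime prefix: '$1'" >&2; return 1 ;;
  esac
  p_runtime=${1%%://*}
  p_id=${1#*://}
  # Assumption: IDs are 64 lowercase hex characters, as both runtimes report.
  case $p_id in *[!0-9a-f]*) echo "unexpected ID: '$p_id'" >&2; return 1 ;; esac
  [ "${#p_id}" -eq 64 ] || { echo "unexpected ID length: ${#p_id}" >&2; return 1; }
  printf '%s %s\n' "$p_runtime" "$p_id"
}

# Print (do not run) the article's node-side command for the detected runtime.
root_shell_cmd() {
  r_ref=$(parse_container_ref "$1") || return 1
  r_runtime=${r_ref% *}
  r_id=${r_ref#* }
  case $r_runtime in
    containerd)
      echo "sudo runc --root /run/containerd/runc/k8s.io/ exec -t -u 0 $r_id sh" ;;
    cri-o)
      echo "nsenter -t \$(crictl inspect $r_id | jq '.info.pid') -a" ;;
    *) echo "unsupported runtime: $r_runtime" >&2; return 1 ;;
  esac
}

# Constructed sample IDs (not from a real cluster).
A=$(printf '%064d' 0 | tr 0 a)
B=$(printf '%064d' 0 | tr 0 b)
root_shell_cmd "containerd://$A"
root_shell_cmd "cri-o://$B"
# Two IDs in one string are rejected instead of silently using the last one.
root_shell_cmd "containerd://$A containerd://$B" || echo "rejected as expected"
```

On a real cluster, pass the output of `container_ref my-namespace my-pod <container-name>` to `root_shell_cmd` and run the printed command on the node that hosts the pod.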
P.S.: If you still need to migrate your Kubernetes cluster from Docker container runtime to containerd runtime, you might be interested in this blog post:
Also, if you want to migrate from containerd to CRI-O, see this blog post: